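It was reported on the 20th (local time) that the Google Play Store had removed 13 malicious apps posing as car racing games.
Lukas Stefanko, a researcher at security firm ESET, was the first to discover the apps, which had already been left up long enough that 580,000 users had downloaded them.
Two of the 13 car racing game apps reportedly made the trending chart, and their download counts rose sharply.
When launched, the malicious app appears to crash because of a bug, but in reality malware is installed from another domain registered to an app developer in Istanbul.
If the malware installs successfully, it gains permission to intercept and monitor all network traffic on the Android device, reportedly putting personal information at risk.
Google explained that it removed more than 700,000 malicious apps from the Google Play Store last year alone and that it would strengthen security.
However, with the additional discovery that 13 malicious apps had been left up, criticism of the Google Play Store's lax security is expected to grow.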
More than half a million users have installed Android malware posing as driving games — from Google’s own app store.
Lukas Stefanko, a security researcher at ESET, tweeted details of 13 gaming apps — made by the same developer — which were at the time of his tweet downloadable from Google Play. Two of the apps were trending on the store, he said, giving the apps greater visibility.
Combined, the apps surpassed 580,000 installs before Google pulled the plug.
Anyone downloading the apps was expecting a truck or car driving game. Instead, they got what appeared to be a buggy app that crashed every time it opened.
In reality, the app was downloading a payload from another domain — registered to an app developer in Istanbul — and installed malware behind the scenes, deleting the app’s icon in the process. It’s not clear exactly what the malicious apps do; none of the malware scanners seemed to agree on what the malware does, based on a sample uploaded to VirusTotal. What is clear is that the malware has persistence, launching every time the Android phone or tablet is started up, and has “full access” to its network traffic, which the malware author can use to steal secrets.
We reached out to the Istanbul-based domain owner, Mert Ozek, but he did not respond to our email. (If that changes, we’ll update).
It’s another embarrassing security lapse by Google, which has long faced criticism for its backseat approach to app and mobile security compared to Apple, which some say is far too restrictive and selective about which apps make it into its walled garden.
Google has spent years trying to double down on Android security by including better security features and more granular app permission controls. But the company continues to battle rogue and malicious apps in the Google Play app store, which have taken over as one of the greatest threats to Android user security. Google pulled more than 700,000 malicious apps from its app store last year alone, and has tried to improve its back-end to prevent malicious apps from getting into the store in the first place.
And yet — clearly — that isn’t enough.
When reached, a Google spokesperson did not immediately comment.